In this case the package-lock was out of sync with the package.json (it had
v6.x.x while package.json had 7.x.x), so if we have more packages with the
same problem we should fix them.

But if the package-lock is ok, then I think we can just merge the
dependabot PRs. What’s the advantage of having it if we still send PRs
manually to do the same?


On Tuesday, June 7, 2022, Norman Breau <nor...@nbsolutions.ca>
wrote:

>
> Hi Team,
>
> Just curious on other thoughts on Dependabot now that Apache enabled them
> across the repos. Do we review and merge them as is? Should we build PRs
> like https://github.com/apache/cordova-js/pull/255 to regenerate
> package-lock which will result in Dependabot closing their PRs?
> Case-by-case basis?
>
> Personally I think I favour the manual PR approach as it will squash
> several dependent PRs into one, and dependabot is smart enough to notice
> when their PR is out-dated.
>
> Cheers,
> Norman